ibm os 390 server user manual

OS/390 IBM

Security Server (RACF)Planning: Installation and Migration

GC28-1920-03

Note

Before using this information and the product it supports, be sure to read the general information under “Notices” on page vii.

Fourth Edition, September 1997

This is a major revision of GC28-1920-02.

This edition applies to Version 2 Release 4 of OS/390 (5647-A01) and to all subsequent releases and modifications until otherwiseindicated in new editions.

Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at theaddress below.

IBM welcomes your comments. A form for readers' comments may be provided at the back of this publication, or you may addressyour comments to the following address:

International Business Machines CorporationDepartment 55JA, Mail Station P384522 South RoadPoughkeepsie, NY 12601-5400United States of America

FAX (United States & Canada): 1+914+432-9405FAX (Other Countries):

Your International Access Code +1+914+432-9405

IBMLink (United States customers only): KGNVMC(MHVRCFS)IBM Mail Exchange: USIB6TC9 at IBMMAILInternet e-mail: [email protected] Wide Web: http://www.s390.ibm.com/os390

If you would like a reply, be sure to include your name, address, telephone number, or FAX number.

Make sure to include the following in your comment or note:

� Title and order number of this book� Page number or topic related to your comment

When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believesappropriate without incurring any obligation to you.

Copyright International Business Machines Corporation 1994, 1997. All rights reserved.Note to U.S. Government Users — Documentation related to restricted rights — Use, duplication or disclosure is subject torestrictions set forth in GSA ADP Schedule Contract with IBM Corp.

Contents

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

About This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiWho Should Use This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiHow to Use This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

Where to Find More Information . . . . . . . . . . . . . . . . . . . . . . . . . xiiIBM Systems Center Publications . . . . . . . . . . . . . . . . . . . . . . . . . xiiiOther Sources of Information . . . . . . . . . . . . . . . . . . . . . . . . . . . xivTo Request Copies of IBM Publications . . . . . . . . . . . . . . . . . . . . . xv

Summary of Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Chapter 1. Planning for Migration . . . . . . . . . . . . . . . . . . . . . . . . . 1Migration Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . 1Installation Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Customization Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Administration Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2Auditing Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Application Development Considerations . . . . . . . . . . . . . . . . . . . . . . . 3General User Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2. Release Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5New and Enhanced Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

RACF/DB2 External Security Module . . . . . . . . . . . . . . . . . . . . . . . . 5Enhancements to Support for OpenEdition Services . . . . . . . . . . . . . . . 6Run-Time Library Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Password History Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . 7Tivoli Management Environment (TME) 10 Global Enterprise Management

User Administration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Program Control by System ID . . . . . . . . . . . . . . . . . . . . . . . . . . . 8New FMID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9OW24966 Enhancements to TARGET Command . . . . . . . . . . . . . . . . 9Enable/Disable Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10OW26237 Enhancements of Global Access Checking . . . . . . . . . . . . . 10

Chapter 3. Summary of Changes to RACF Components for OS/390Release 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Callable Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Class Descriptor Table (CDT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Data Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Exits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Macros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

New Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Changed Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Deleted Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Copyright IBM Corp. 1994, 1997 iii

SYS1.SAMPLIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Publications Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 4. Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . 21Migration Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Migration Paths for OS/390 Release 4 Security Server (RACF) . . . . . . . . . 21Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

OpenEdition MVS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Program Control by System ID . . . . . . . . . . . . . . . . . . . . . . . . . . 23RELEASE=2.4 Keyword on Macros . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 5. Installation Considerations . . . . . . . . . . . . . . . . . . . . . . 25RACF Storage Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Virtual Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Templates for RACF on OS/390 Release 4 . . . . . . . . . . . . . . . . . . . . . 27

Chapter 6. Customization Considerations . . . . . . . . . . . . . . . . . . . 29Customer Additions to the Router Table and the CDT . . . . . . . . . . . . . . 29RACF/DB2 External Security Module Customization . . . . . . . . . . . . . . . 29Exit Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Chapter 7. Administration Considerations . . . . . . . . . . . . . . . . . . . 31The TMEADMIN Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Password History Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Program Control by System ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Enhancements of Global Access Checking . . . . . . . . . . . . . . . . . . . . . 32

Chapter 8. Auditing Considerations . . . . . . . . . . . . . . . . . . . . . . . 33SMF Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 9. Application Development Considerations . . . . . . . . . . . . . 35Programming Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35RELEASE=2.4 Keyword on Macros . . . . . . . . . . . . . . . . . . . . . . . . . 35FASTAUTH Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Chapter 10. General User Considerations . . . . . . . . . . . . . . . . . . . . 37Password History Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

How to Get Your RACF CD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

iv OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Figures

1. New Callable Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112. Changed Callable Services . . . . . . . . . . . . . . . . . . . . . . . . . . . 123. New Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134. Changes to RACF Commands . . . . . . . . . . . . . . . . . . . . . . . . . 135. Changes to PSPI Data Areas . . . . . . . . . . . . . . . . . . . . . . . . . 166. Changed Executable Macros . . . . . . . . . . . . . . . . . . . . . . . . . . 177. New Panels for RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198. Changed Panels for RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . 199. Change to SYS1.SAMPLIB . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

10. Changes to the RACF Publications Library . . . . . . . . . . . . . . . . . . 2011. RACF Estimated Storage Usage . . . . . . . . . . . . . . . . . . . . . . . 2512. Changes to SMF Records . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Copyright IBM Corp. 1994, 1997 v

vi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Notices

References in this publication to IBM products, programs, or services do not implythat IBM intends to make these available in all countries in which IBM operates.

Any reference to an IBM product, program, or service is not intended to state orimply that only IBM's product, program, or service may be used. A functionallyequivalent product, program, or service which does not infringe on any of IBM'sintellectual property rights may be used instead of the IBM product, program, orservice. Evaluation and verification of operation in conjunction with other products,programs, or services, except those expressly designated by IBM, is the user'sresponsibility.

IBM may have patents or pending patent applications covering subject matter inthis document. The furnishing of this document does not give you any license tothese patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation

500 Columbus AvenueThornwood, NY 10594

USA

Licensees of this program who wish to have information about it for the purpose ofenabling: (i) the exchange of information between independently created programsand other programs (including this one) and (ii) the mutual use of the informationwhich has been exchanged, should contact:

IBM CorporationMail Station P300522 South RoadPoughkeepsie, NY 12601-5400USAAttention: Information Request

Such information may be available, subject to appropriate terms and conditions,including in some cases, payment of a fee.

Copyright IBM Corp. 1994, 1997 vii

viii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Trademarks

The following terms are trademarks of the IBM Corporation in the United States orother countries or both:

� AIX/6000 � BookManager � CICS � CICS/ESA � DB2 � DFSMS � FFST � FFST/MVS � IBM � IBMLink � IMS � Library Reader � MVS/ESA � MVS/XA � NetView � OpenEdition � OS/2 � OS/390 � Parallel Sysplex � RACF � RETAIN � S/390 � SOMobjects � System/390 � SystemView � TalkLink � VM/ESA � VM/XA

UNIX is a registered trademark in the United States and other countries licensedexclusively through X/Open Company Limited.

Windows is a trademark of Microsoft Corporation.

Other company, product, and service names, which may be denoted by a doubleasterisk (**), may be trademarks or service marks of others.

Copyright IBM Corp. 1994, 1997 ix

x OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

About This Book

This book contains information about the Resource Access Control Facility (RACF),which is part of the OS/390 Security Server. The Security Server has twocomponents:

� RACF� OpenEdition DCE Security Server

For information about the OpenEdition DCE Security Server, see the publicationsrelated to that component.

This book provides information to guide you through the migration process fromOS/390 Release 3 Security Server (RACF) or RACF to OS/390 Release 4 SecurityServer (RACF).

The purpose of this book is to ensure an orderly transition to a new RACF release.It is not intended for customers installing RACF for the first time or installing arelease prior to Security Server (RACF) Release 3. First-time RACF customersshould read OS/390 Security Server (RACF) Introduction and use the programdirectory shipped with the product when they are ready to install the product.

Who Should Use This BookThis book is intended for experienced system programmers responsible formigrating from OS/390 Release 3 Security Server (RACF) to OS/390 Release 4Security Server (RACF). This book assumes you have knowledge of OS/390Release 3 Security Server (RACF).

If you are migrating from a RACF 2.2, or earlier, or from an OS/390 Security Serverrelease prior to OS/390 Release 3, you should also read previous versions of thisbook, as described in “Migration Paths for OS/390 Release 4 Security Server(RACF)” on page 21.

How to Use This BookThis book is organized in the following order:

� Chapter 1, “Planning for Migration” on page 1, provides information to help youplan your installation's migration to the new release of RACF.

� Chapter 2, “Release Overview” on page 5, provides an overview of support inthe new release.

� Chapter 3, “Summary of Changes to RACF Components for OS/390 Release4” on page 11, lists specific new and changed support for the new release.

� Chapter 4, “Planning Considerations” on page 21, describes high-levelmigration considerations for customers upgrading to the new release of RACFfrom previous levels of RACF.

� Chapter 5, “Installation Considerations” on page 25, highlights informationabout installing the new release of RACF.

Copyright IBM Corp. 1994, 1997 xi

� Chapter 6, “Customization Considerations” on page 29, highlights informationabout customizing function to take advantage of new support after the newrelease of RACF is installed.

� Chapter 7, “Administration Considerations” on page 31, summarizes changesto administration procedures for the new release of RACF.

� Chapter 8, “Auditing Considerations” on page 33, summarizes changes toauditing procedures for the new release of RACF.

� Chapter 9, “Application Development Considerations” on page 35, identifieschanges in the new release of RACF that might require changes to aninstallation's existing programs.

� Chapter 10, “General User Considerations” on page 37, summarizes newsupport that might affect general user procedures.

Where to Find More InformationWhere necessary, this book references information in other books. For completetitles and order numbers for all products that are part of OS/390, see OS/390Information Roadmap.

Softcopy PublicationsThe OS/390 Security Server (RACF) library is available on the following CD-ROMs.The CD-ROM collections include the IBM Library Reader, a program that enablescustomers to read the softcopy books.

� The OS/390 Security Server (RACF) Information Package, SK2T-2180

This softcopy collection kit contains the OS/390 Security Server (RACF) library.It also contains the RACF/MVS Version 2 product libraries, the RACF/VM 1.10product library, product books from the OS/390 and VM collections,International Technical Support Organization (ITSO) books, and WashingtonSystem Center (WSC) books that contain substantial amounts of informationrelated to RACF. The kit does not contain any licensed publications. By usingthis CD-ROM, you have access to RACF-related information from IBM productssuch as OS/390, VM, CICS, and NetView without maintaining shelves ofhardcopy documentation or handling multiple CD-ROMs. To get moreinformation on the OS/390 Security Server (RACF) Information Package, seethe advertisement at the back of the book.

� The OS/390 Collection Kit, SK2T-6700

This softcopy collection contains a set of OS/390 and related product books.This kit contains unlicensed books.

� The Online Library Omnibus Edition MVS Collection Kit, SK2T-0710

This softcopy collection contains a set of key MVS and MVS-related productbooks. It also includes the RACF Version 2 product libraries. OS/390 SecurityServer (RACF) Messages and Codes is also available as part of Online LibraryProductivity Edition Messages and Codes Collection, SK2T-2068.

xii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

RACF CoursesThe following RACF classroom courses are also available:

� Effective RACF Administration, H3927� MVS/ESA RACF Security Topics, H3918� Implementing RACF Security for CICS/ESA, H3992

IBM provides a variety of educational offerings for RACF. For more information onclassroom courses and other offerings, see your IBM representative, IBMMainframe Training Solutions, GR28-5467, or call 1-800-IBM-TEACH(1-800-426-8322).

IBM Systems Center PublicationsIBM systems centers produce “red” and “orange” books that can be helpful insetting up and using RACF.

These books have not been subjected to any formal review nor have they beenchecked for technical accuracy, but they represent current product understanding(at the time of their publication) and provide valuable information on a wide rangeof RACF topics. They are not shipped with RACF. You must order themseparately. A selected list of these books follows:

� Systems Security Publications Bibliography, G320-9279

� Elements of Security: RACF Overview - Student Notes, GG24-3970

� Elements of Security: RACF Installation - Student Notes, GG24-3971

� Elements of Security: RACF Advanced Topics - Student Notes, GG24-3972

� RACF Version 2 Release 2 Technical Presentation Guide, GG24-2539

� RACF Version 2 Release 2 Installation and Implementation Guide, SG24-4580

� Enhanced Auditing Using the RACF SMF Data Unload Utility, GG24-4453

� RACF Macros and Exit Coding, GG24-3984

� RACF Support for Open Systems Technical Presentation Guide, GG26-2005

� DFSMS and RACF Usage Considerations, GG24-3378

� Introduction to System and Network Security: Considerations, Options, andTechniques, GG24-3451

� Network Security Involving the NetView Family of Products, GG24-3524

� System/390 MVS Sysplex Hardware and Software Migration, GC28-1210

� Secured Single Signon in a Client/Server Environment, GG24-4282

� Tutorial: Options for Tuning RACF, GG22-9396

| � OS/390 Security Server Audit Tool and Report Application, SG24-4820

Other books are available, but they are not included in this list, either because theinformation they present has been incorporated into IBM product manuals, orbecause their technical content is outdated.

About This Book xiii

Other Sources of InformationIBM provides customer-accessible discussion areas where RACF may bediscussed by customer and IBM participants. Other information is available throughthe Internet.

IBM Discussion AreasTwo discussion areas provided by IBM are the MVSRACF discussion and theSECURITY discussion.

� MVSRACF

MVSRACF is available to customers through IBM's TalkLink offering. To accessMVSRACF from TalkLink:

1. Select S390 (the S/390 Developers' Association).2. Use the fastpath keyword: MVSRACF.

� SECURITY

SECURITY is available to customers through IBM's DialIBM offering, whichmay be known by other names in various countries. To access SECURITY:

1. Use the CONFER fastpath option.2. Select the SECURITY CFORUM.

Contact your IBM representative for information on TalkLink, DialIBM, or equivalentofferings for your country and for more information on the availability of theMVSRACF and SECURITY discussions.

Internet SourcesThe following resources are available through the Internet:

� RACF home page

You can visit the RACF home page on the World Wide Web using this address:

http://www.s39ð.ibm.com/products/racf/racfhp.html

or

http://www.s39ð.ibm.com/racf

� RACF-L discussion list

Customers and IBM participants may also discuss RACF on the RACF-Ldiscussion list. RACF-L is not operated or sponsored by IBM; it is run by theUniversity of Georgia.

To subscribe to the RACF-L discussion, so you can receive postings, send anote to:

[email protected]

Include the following line in the body of the note, substituting your first nameand last name as indicated:

subscribe racf-l first_name last_name

To post a question or response to RACF-L, send a note to:

[email protected]

Include an appropriate Subject: line.

� Sample code

xiv OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

You can get sample code, internally-developed tools, and exits to help you useRACF. All this code works in our environment, at the time we make it available,but is not officially supported. Each tool or sample has a README file thatdescribes the tool or sample and any restrictions on its use.

The simplest way to reach this code is through the RACF home page. From thehome page, click on System/390 FTP Servers under the topic, “RACF SampleMaterials.”

The code is also available from lscftp.pok.ibm.com through anonymous ftp .

To get access:

1. Log in as user anonymous .

2. Change the directory (cd ) to /pub/racf/mvs to find the subdirectories thatcontain the sample code. We'll post an announcement on RACF-L,MVSRACF, and SECURITY CFORUM whenever we add anything.

Restrictions

Because the sample code and tools are not officially supported,

� There are no guaranteed enhancements.� No APARs can be accepted.

The name and availability of the ftp server may change in the future. We'llpost an announcement on RACF-L, MVSRACF, and SECURITY CFORUMif this happens.

However, even with these restrictions, it should be useful for you to haveaccess to this code.

To Request Copies of IBM PublicationsDirect your request for copies of any IBM publication to your IBM representative orto the IBM branch office serving your locality.

There is also a toll-free customer support number (1-800-879-2755) availableMonday through Friday from 6:30 a.m. through 5:00 p.m. Mountain Time. You canuse this number to:

� Order or inquire about IBM publications

� Resolve any software manufacturing or delivery concerns

� Activate the Program Reorder Form to provide faster and more convenientordering of software updates

See the advertisement at the back of the book for information about the OS/390Security Server (RACF) Information Package.

About This Book xv

xvi OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Summary of Changes

| Summary of Changes| for GC28-1920-03| OS/390 Version 2 Release 4

| This book contains primarily new information for OS/390 Version 2 Release 4| Security Server (RACF). When any information appeared in an earlier release, the| information that is new is indicated by a vertical line to the left of the change.

Summary of Changesfor GC28-1920-02OS/390 Release 3

This book contains new information for OS/390 Release 3 Security Server (RACF).


This book contains new information for OS/390 Release 2 Security Server (RACF).


This book contains information previously presented in RACF Planning: Installationand Migration, GC23-3736, which supports RACF Version 2 Release 2.

This book includes terminology, maintenance, and editorial changes.

Copyright IBM Corp. 1994, 1997 xvii

xviii OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Chapter 1. Planning for Migration

This chapter provides information to help you plan your installation's migration tothe new release of OS/390 Security Server (RACF). Before attempting to migrate,you should define a plan to ensure a smooth and orderly transition. A wellthought-out and documented migration plan can help minimize any interruption ofservice. Your migration plan should address such topics as:

� Identifying which required and optional products are needed� Evaluating new and changed functions� Evaluating how incompatibilities affect your installation� Defining necessary changes to:

– Installation-written code – Operational procedures – Application programs

– Other related products� Defining education requirements for operators and end users� Preparing your staff and end users for migration, if necessary� Acquiring and installing the latest service level of RACF for maintenance

The content and extent of a migration plan can vary significantly from installation toinstallation. To successfully migrate to a new release of RACF, you should start byinstalling and stabilizing the new RACF release without activating the new functionsprovided. Installing the new RACF release without initially exploiting new functionsallows you to maintain a stable RACF environment. The program directory shippedwith the new OS/390 release gives detailed information about the correct softwarerequired for installation.

When defining your installation's migration plan, you should consider the following:

� Migration � Installation � Customization � Administration � Auditing � Operation � Application development � General users

Migration Planning ConsiderationsInstallations planning to migrate to a new release of RACF must consider high-levelsupport requirements such as machine and programming restrictions, migrationpaths, and program compatibility.

For more information, see Chapter 4, “Planning Considerations” on page 21.

Copyright IBM Corp. 1994, 1997 1

Installation ConsiderationsBefore installing a new release of RACF, you must determine what updates areneeded for IBM-supplied products, system libraries, and non-IBM products.(Procedures for installing RACF are described in the program directory shipped withOS/390, not in this book.)

Be sure you include the following steps when planning your pre-installationactivities:

� Obtain and install any required program temporary fixes (PTFs) or updatedversions of the operating system.

Call the IBM Software Support Center to obtain the preventive service planning(PSP) upgrade for RACF. This provides the most current information on PTFsfor RACF. Have RETAIN checked again just before testing RACF. Informationfor requesting the PSP upgrade can be found in the program directory.Although the program directory contains a list of the required PTFs, the mostcurrent information is available from the support center.

� Contact programmers responsible for updating programs.

Verify that your installation's programs will continue to run, and, if necessary,make changes to ensure compatibility with the new release.

For more information, see Chapter 5, “Installation Considerations” on page 25.

Customization ConsiderationsIn order for RACF to meet the specific requirements of your installation, you cancustomize function to take advantage of new support after the product is installed.For example, you can tailor RACF through the use of installation exit routines, classdescriptor table (CDT) support, or options to improve performance. This book listschanges to RACF that might require the installation to tailor the product, either toensure that RACF runs as before or to accommodate new security controls that aninstallation requires.

For more information, see Chapter 6, “Customization Considerations” on page 29.

Administration ConsiderationsSecurity administrators must be aware of how changes introduced by a newproduct release can affect an installation's data processing resources. Changes toreal and virtual storage requirements, performance, security, and integrity are ofinterest to security administrators or to system programmers who are responsiblefor making decisions about the computing system resources used with a program.

For more information, see Chapter 7, “Administration Considerations” on page 31.

2 OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration

Auditing ConsiderationsAuditors who are responsible for ensuring proper access control and accountabilityfor their installation are interested in changes to security options, audit records, andreport generation utilities.

For more information, see Chapter 8, “Auditing Considerations” on page 33.

Application Development ConsiderationsApplication development programmers must be aware of new functions introducedin a new release of RACF. To implement a new function, the applicationdevelopment personnel should read this book and the following books:

� OS/390 Security Server External Security Interface (RACROUTE) MacroReference

� OS/390 Security Server (RACF) Data Areas� OS/390 Security Server (RACF) Macros and Interfaces

To ensure that existing programs run as before, the application programmersshould be aware of any changes in data areas and processing requirements. Thisbook provides an overview of the changes that might affect existing applicationprograms.

For more information, see Chapter 9, “Application Development Considerations” onpage 35.

General User ConsiderationsRACF general users use a RACF-protected system to:

� Log on to the system

� Access resources on the system

� Protect their own resources and any group resources to which they haveadministrative authority

This book provides an overview of the changes that might affect existingprocedures for general users. For more information, see Chapter 10, “General UserConsiderations” on page 37.

Chapter 1. Planning for Migration 3

Chapter 2. Release Overview

This chapter lists the new and enhanced functions of RACF for OS/390 Release 4and gives a brief overview of each new function or function enhancement.

New and Enhanced SupportFor OS/390 Release 4, RACF provides:

� Support for the RACF/DB2 external security module

� Additional auditing of OpenEdition superusers status

� Default OpenEdition USER/GROUP support

� Run-time library services support

� Password history enhancements

� OW23445 enhancement to allow RACF user profile administration using TivoliManagement Environment (TME) administration service

� OW25727 enhancement to allow program control by system ID

� New FMID

� OW24966 enhancements to TARGET command

� Enable/disable changes

� OW26237 enhancements to global access checking

RACF/DB2 External Security ModuleThe Security Server for OS/390 Release 4 is providing a new function that givesyou the ability to control access to DB2 objects using RACF profiles. This functionis provided as a fully supported exit module called the RACF/DB2 external securitymodule. If you choose to use this new support, the module is designed to receivecontrol from the DB2 access control authorization exit point. The highlights of thesupport include:

� Single point of control for administering and auditing DB2 access

� Ability to define security rules before a DB2 object is created

� Ability to have security rules persist when a DB2 object is dropped

� Ability to control access to DB2 objects with generic profiles

� Flexibility to control access to DB2 objects for single or multiple subsystemswith a single set of RACF profiles

� Ability to validate a user ID before permitting it access to a DB2 object

� Elimination of DB2 cascading revoke

Use of this function requires the DB2 access control authorization exit point functionprovided in DB2 Version 5.


Enhancements to Support for OpenEdition ServicesEnhancements to RACF's support for OpenEdition services include:

� Extended ability to audit the use of superuser status� Default USER/GROUP support provided by APAR OW26800

Extended Ability to Audit the Use of Superuser StatusThis support allows the auditing of the new OpenEdition spawn service. Itdetermines when a user is a superuser and the identity of that user. This extendedaudit function allows a full audit trail that can be used to ensure that security isadequate.

Auditing the use of superuser status is performed using the ck_priv event code andthe PROCESS class processing to audit UID and GID changes. The audit functioncode 101 is added.

If you are not already auditing the PROCESS class, issue SETROPTSLOGOPTIONS(xxxx(PROCESS)) to obtain the SMF TYPE80 record ck_priv.

Default USER/GROUP OMVS Segment Provided by APAROW26800RACF allows definition of a system-wide default for OMVS segment information,making it possible for users not specifically defined OpenEdition MVS users tomake use of OpenEdition services.

With this release, OpenEdition sockets are the primary socket interface . To utilizethis support, RACF provides the ability to define default OpenEdition information bysetting a system-wide option.

Previously, to use OpenEdition services, you needed to have a RACF USER profilewith an OMVS segment containing a UID and a current connect group that had aGROUP profile with an OMVS segment containing a GID. If these were notavailable, the initUSP service failed and the process could not use OpenEditionservices.

Now, if no OMVS segment is found in the USER profile during initUSP processing,the default OMVS segment is used. If the default is found, it is used to set the UID,HOME, and PROGRAM values for the user. If no default value is found, theinitUSP fails with the existing RACF return code of 8 and reason code of 20.

The same processing is done for the user's current connect group. If no OMVSsegment is found in the GROUP profile, the default is used. If no default value isfound, the initUSP fails with the existing RACF return code of 8 and reason code of8.

After a default UID, GID, or both are assigned, initUSP processing continues. If theuser is connected to additional RACF groups and list-of-groups processing isactive, the supplemental group list is built using the GIDs of these additionalgroups. No default processing occurs while the supplemental group list is built.

When initUSP assigns a default UID, GID, or both, it sets a bit in the user's USP toindicate that it is a default USP. This bit causes an additional relocate section to beadded to any SMF TYPE80 records written by RACF callable services for this user.


The getUMAP and getGMAP services also look for default values. If getUMAP isgiven a UID as input and the corresponding USER profile has no OMVS segment,the caller of the getUMAP service receives the default. If no default value is found,RACF return code 8, reason code 4 are returned by the getUMAP service. If a UIDis passed to getUMAP, then it returns a user ID, which is likely to return the user IDof the default user.

Similarly, if getGMAP is given a GID as input and the corresponding GROUP profilehas no OMVS segment, the caller of the getGMAP service receives the default. Ifno default value is found, RACF return code 8, reason code 4 are returned by thegetGMAP service. If a GID is passed to getGMAP, it returns a group name, whichis likely to return the group name of the default group.

The default OMVS segments reside in a USER profile and a GROUP profile. Theinstallation selects the names of these profiles, using a profile in the FACILITYclass. The name of the FACILITY class profile is BPX.DEFAULT.USER. Theapplication data field contains the user ID and the group name. The user profile forthe user ID specified contains the UID, and the group profile for the group namespecified contains the GID.

In order to use this default USER/GROUP support, the following need to be done:

� Make the FACILITY class active.

� Define BPX.DEFAULT.USER with APPLDATA('uuuu/gggg') where uuuuspecifies a default user ID of 1-8 characters and gggg specifies a default groupname of 1-8 characters. The USER profile uuuu needs to have an OMVSsegment with the default UID, HOME, and PROGRAM. The GROUP profilegggg needs to have an OMVS segment giving the default GID.

� If only default user information is needed, use APPLDATA ('uuuu').

The processing of the default OMVS segments for the user and the currentconnection group are independent of each other. The OMVS segment of the userspecified on the initUSP may be used to obtain the UID, and the user may comefrom the group ID specified in the FACILITY class profile. Similarly, when thedefault UID found through the user ID specified in the FACILITY class profile isused, the GID may come from the user's current connect group. Also the userspecified in the FACILITY class profile does not need to be a member of the groupspecified in that profile. These values are used independently.

Run-Time Library ServicesThe Run-Time Library Services (RTLS) of OS/390 introduce new contentssupervisor support to facilitate the binding of applications to a specific languagerun-time environment defined on an installation basis. System programmers canuse FACILITY class profiles and RACF's program control when there is a need tocontrol access to run-time libraries and the programs that use the run-time libraries.

Password History EnhancementsThe password history enhancement makes it easier for installations to prevent endusers from circumventing password history security policy. The old password issaved in the password history list when a password is reset by an administrator.

The following commands have been modified to save the old password wheneverthe password is reset:

Chapter 2. Release Overview 7

� The ALTUSER command allows an administrator to reset a user's password toa temporary password or a default value. This command is modified to save theold password whenever the password is reset.

� The PASSWORD USER (userid) command provides users and administratorswith a password reset function. This command is modified to save the oldpassword whenever the password is reset.

Tivoli Management Environment (TME) 10 Global EnterpriseManagement User Administration Service

The Tivoli Management Environment (TME) 10 Global Enterprise Manager UserAdministration Service provides the ability to manage UNIX, Windows NT,NetWare, and RACF accounts from a single, common interface (either graphical orcommand line). The RACF support for this, which was provided by APARsOW23445 and OW23446, includes:

The TMEADMIN class, which is used to map a TME administrator to a RACF userID.

Callable services to:

� Derive a session key from a previously generated RACF PassTicket. The TivoliManagement Region (TMR) TCP/IP server uses such session keys to encryptand decrypt administrative data that flows between the TMR server andOS/390.

� Convey RACF administrative changes to RACF. The new R_Admin callableservice provides a function-code driven parameter list with data fields consistingof name-value pairs. This name-value pair support is used by the TME useradministration service to add or update the following RACF user profileinformation:

– BASE profile information

– OMVS segment

– NETVIEW segment

– TSO segment

– CICS segment

In addition to the above, the R_Admin callable service provides a run commandfunction in which most RACF TSO commands may be executed.

Changes to the RACF TSO command ALTUSER. The NOCLAUTH key will nowaccept an asterisk ('*') to indicate removal of all of the user's CLAUTH authorities.

Program Control by System IDRACF provides a means to restrict access to a program based on the systemidentifier (SMFID). This additional program control by system ID improves systemmanagement and usability of program products in a sysplex environment. It alsoeliminates error-prone manual procedures, the need to keep DASD that is notshared, and the potential savings on licensing fees by controlling which systems ina sysplex the licensed software may execute on. Previously many customerscomplied with licensing agreements by paying for ALL system that the softwareCOULD run on because there was no easy way to restrict access to a particular


system. This support provides a solution to many customers that find themselves insuch a situation.

The PERMIT command has a new keyword to add users and groups to theconditional access list, WHEN(SYSID(...)). This keyword is allowed only for thePROGRAM class. WHEN(SYSID(...)) is similar to the existing keywordsWHEN(TERMINAL(...)), WHEN(PROGRAM(...)), and WHEN(JESINPUT(...)). Noclass is associated with SYSID. In addition, no check is made to determine whetherthe value specified for SYSID is valid.

A new error message is issued if WHEN(SYSID(...)) is specified for a class otherthan PROGRAM. When copying a conditional access list from a PROGRAM profileto a non-PROGRAM profile, WHEN(SYSID(...)) entries are not copied. Nomessages are issued if this is the case. This applies to ADDSD FROM, RDEFINEFROM, RACROUTE REQUEST=DEFINE with modeling, and PERMIT FROM.

New FMIDOS/390 Release 4 Security Server (RACF) has a new FMID, HRF2240. AlthoughRACF, as a component of the OS/390 Security Server, no longer has a version,release, and modification level of its own, for compatibility with previous versionsand releases of RACF the new FMID is treated as if it represented version 2.4.0.The RCVT contains the value 2040 to identify the RACF level. The ICHEINTY,ICHEACTN, and ICHETEST macros accept the keyword RELEASE=2.4, althoughthey support no new keywords that would require the RELEASE=2.4 keyword.

OW24966 Enhancements to TARGET CommandThe RACF TARGET command now accepts the new keyword WDSQUAL to allowallocation of the work space data sets when the system name starts with a numericcharacter. This keyword indicates that the variable that follows is the middlequalifier used by RRSF for the workspace data set qualifier names of the INMSGand OUTMSG queues for the local RRSF node defined by the TARGET command.WDSQUAL cannot be used for a remote node.

The format for the qualified name is prefix.wdsqual. ds_identity. wdsqual can befrom 1 to 8 characters long beginning with an alphabetic character. Initial numeralsare not accepted. The formation of the workspace data set names can be changeduntil the data sets are allocated. Specifying WDSQUAL on another TARGETcommand after its node has become dormant or operative is not allowed.Specifying of WDSQUAL on the same command is allowed.

If you have any TARGET commands in your IRROPTxx RACF parameter librarymember that specify the WORKSPACE keyword abbreviated to a W, you need toincrease the length of that keyword to at least WO so it is not mistaken for the newWDSQUAL keyword which is now represented as W. It is recommended that theuse of abbreviations be avoided in clists, REXX execs, and parmlib statements.

If WDSQUAL is not specified, the previously used format for the data set names isused. This is prefix.sysname.INMSG and prefix.sysname.OUTMSG.

For more information on the TARGET command, see OS/390 Security Server(RACF) Command Language Reference.

Chapter 2. Release Overview 9

Enable/Disable ChangesOS/390 Version 2 Release 4 has a new product ID that affects the enable/disablefunction in all of its elements including the Security Server. The ID() value used inthe IFAPRDxx parmlib member needs to be "5647-A01". The remainder of theparameters remain the same. Without this necessary change to the ID() parameter,the Security Server will not initialize. In order to keep from making changes in thefuture, you can use the value ID(*). For more information, see OS/390 SecurityServer (RACF) System Programmer's Guide.

OW26237 Enhancements of Global Access CheckingThis enhancement allows RACROUTE REQUEST=AUTH processing to use globalaccess checking for general resource classes regardless of whether or not theclass has been RACLISTed by either SETROPTS RACLIST or RACROUTEREQUEST=LIST. Authorization checking using RACROUTE REQUEST=AUTHsearches the global access checking table for a matching entry, ignoring profiles inthe class. If no global access checking table entry matches the search, or if theaccess specified in the entry is less than the access being requested, RACF thensearches for a matching profile in the class. With this release of OS/390 SecurityServer (RACF), this processing occurs regardless of whether or not the class isRACLISTed using SETROPTS RACLIST or RACROUTE REQUEST=LIST.


Chapter 3. Summary of Changes to RACF Components forOS/390 Release 4

This chapter summarizes the new and changed components of OS/390 Release 4Security Server (RACF). It includes the following summary charts for changes tothe RACF:

� Callable Services� Class descriptor table (CDT)

� Commands � Data Areas � Exits � Macros � Messages � Panels � SYS1.SAMPLIB � Publications Library

Callable ServicesFigure 1 lists a new callable service. This callable service is a PSPI attachmentinterface, which means that it is not intended for use in customer applicationprograms, but rather for use by other IBM components or vendor programs.

Figure 1. New Callable Services

CallableServiceName Description Support

R_admin The R_admin service enables applications tomanage RACF user profiles within the RACFdatabase.This service accepts either a functioncode-driven parameter list with data fieldsconsisting of name-value pairs or a preconstructedRACF TSO command to be executed. R_admindoes NOT include the following RACF commands:BLKUPD, RVARY, RACLINK. It also does NOTinclude RACF operator commands such asDISPLAY, RESTART, SET, SIGNOFF, STOP, andTARGET.

TME 10


Figure 2. Changed Callable Services

CallableServiceName Description Support

initUSP � If no OMVS segment is found in the user'sprofile, the initUSP service checks theBPX.DEFAULT.USER profile in the FACILITYclass. This profile may contain a user ID in itsapplication data field that provides a defaultOMVS segment. If this default is found, it isused to set the UID, HOME, and PROGRAMfor the user.

� If no OMVS segment is found in the groupprofile of the user's current connect group, theinitUSP service checks theBPX.DEFAULT.USER profile in the FACILITYclass. This profile may contain a group ID inthe application data field that provides a defaultOMVS segment. If this default is found, it isused to set the GID for the user.

� If any defaults are used by initUSP, a bit is setin the resulting USP to indicate that this is thedefault Open Edition security environment. Anyaudit records written by subsequent RACFcallable services reflect this.

DefaultUSER/GROUPOMVSSegment

getGMAP � If getGMAP is given a group ID as input andthe corresponding GROUP profile has noOMVS segment, getGMAP checks theBPX.DEFAULT.USER profile in the FACILITYclass. This profile may contain a group ID in itsapplication data field that provides a defaultOMVS segment. If this default is found, its GIDis returned to the issuer of getGMAP.


getUMAP � If getUMAP is given a user ID as input and thecorresponding USER profile has no OMVSsegment, getUMAP checks theBPX.DEFAULT.USER profile in the FACILITYclass. This profile may contain a user ID in itsapplication data field that provides a defaultOMVS segment. If this default is found, its UIDis returned to the issuer of getUMAP.


Class Descriptor Table (CDT)Figure 3 lists new classes provided in the IBM-supplied class descriptor table(ICHRRCDX). The class names are general-use programming interfaces (GUPI) forICHEINTY and RACROUTE. There is a set of entries corresponding to the newclasses added in the IBM-supplied router tables.


Figure 3. New Classes

Name Description Support

DSNADM DB2 administrative authority class DB2

GDSNBP Grouping class for buffer pool privileges DB2

GDSNCL Grouping class for collection privileges DB2

GDSNDB Grouping class for database privileges DB2

GDSNPK Grouping class for package privileges DB2

GDSNPN Grouping class for plan privileges DB2

GDSNSG Grouping class for storage group privileges DB2

GDSNSM Grouping class for system privileges DB2

GDSNTB Grouping class for table, index, or view privileges DB2

GDSNTS Grouping class for tablespace privileges DB2

MDSNBP Member class for buffer pool privileges DB2

MDSNCL Member class for collection privileges DB2

MDSNDB Member class for database privileges DB2

MDSNPK Member class for package privileges DB2

MDSNPN Member class for plan privileges DB2

MDSNSG Member class for storage group privileges DB2

MDSNSM Member class for system privileges DB2

MDSNTB Member class for table, index, or view privileges DB2

MDSNTS Member class for tablespace privileges DB2

TMEADMIN Maps the TME administrator's user ID and TivoliManagement Region (TMR) to a RACF user ID

TME 10

CommandsFigure 4 lists the changes to RACF commands for OS/390 Release 4.

For more information on these commands, see OS/390 Security Server (RACF)Command Language Reference.

Figure 4 (Page 1 of 3). Changes to RACF Commands

Command Description Support

ALTUSERPASSWORD

The ALTUSER command and the PASSWORDcommand are modified to save the old password inthe password history list,whether reset by the useror an administrator. For more information on theALTUSER and PASSWORD commands, seeOS/390 Security Server (RACF) CommandLanguage Reference.

PasswordHistoryEnhancements

Chapter 3. Summary of Changes to RACF Components for OS/390 Release 4 13



ALTUSER This command supports the removal of all of theuser's CLAUTH authorities by using NOCLAUTH(*).

For more information on the ALTUSER NOCLAUTHkeywords, see OS/390 Security Server (RACF)Command Language Reference.

TME 10

PERMIT The PERMIT command allows the keywordsWHEN(SYSID(system-identifier ...)). This specifiesthat the indicated users or groups have thespecified access authority when loading thiscontrolled program on the specified system.system-identifier is the 4-character value specifiedfor the system identifier (SID) parameter of theSMFPRMxx member of PARMLIB.WHEN(SYSID(system-identifier)) can be used onlyfor resources in the PROGRAM class. See OS/390MVS Initialization and Tuning Reference foradditional information on SMFPRMxx.

For more information on the PERMIT command,see OS/390 Security Server (RACF) CommandLanguage Reference.

Programcontrol bySYSID




TARGET The new keyword WDSQUAL is added to theRACF TARGET command to indicate that thevariable that follows will be used by RRSF as themiddle qualifier for the work space data set namesof the INMSG and OUTMSG queues for the localRRSF node defined by the TARGET command.WDSQUAL cannot be used for a remote node.

The format for the qualifier name isprefix.wdsqual.ds_identity. wdsqual can be from 1to 8 characters long beginning with an alphabeticcharacter. Initial numerals are not accepted. Theformation of the workspace data set names can bechanged until the data sets are allocated. Thisnormally occurs when a DORMANT or OPERATIVEkeyword is processed. After that keyword isprocessed, the data set names cannot be changed.

Concerning TARGET nodename OPERATIVEWDSQUAL(xxx) , RACF processes theOPERATIVE keyword after the WDQUAL keyword,even though the user specified them in the reverseorder. The keyword WDSQUAL works until RACFhas processed a TARGET command specifyingDORMANT or OPERATIVE for that node.

This enhancement allows operators to set one ormore work space data sets for local node names,which can be used when they are working withmultisystem RRSF nodes, especially in a sysplexenvironment.

If you have any TARGET commands in yourIRROPTxx RACF parameter library member thatspecify the WORKSPACE keyword abbreviated to aW, you need to increase the length of that keywordto at least WO so it is not mistaken for the newWDSQUAL keyword which is now represented asW.

If WDSQUAL is not specified, the previously usedformat for the data set names is used. This isprefix.sysname.INMSG andprefix.sysname.OUTMSG.

For more information on the TARGET command,see OS/390 Security Server (RACF) CommandLanguage Reference.

OW24966

Data AreasFigure 5 lists changed product-sensitive programming interface (PSPI) data areasfor RACF.


Figure 5. Changes to PSPI Data Areas

Data Area Description Support

AFC This data area maps the contents for the OpenEdition MVS security audit function codes. An auditfunction code has been added to audit whenck_priv is called from OpenEdition_spawn(BPX1SPN).

Auditability ofsuper userrequests.

COMP This data area maps the common SAF/RACFparameter list for Open Edition MVS securityfunctions. A new 24-byte DSECT ADMN has beenadded. It includes addresses of the function-specificparameter list structure, of the RACF user ID underwhose authority the service executes, of a fullwordcontaining the ACEE address under which thisservice executes, of a caller-supplied areacontaining the subpool in which output messagesare obtained, and of a fullword containing a pointerto the RACF command output.

TME 10 GEMuseradministrationfor OS/390

FAST FASTPLEN, FASTPVER, FASTALET, andFASTLOGS have been added.

DB2

FC This data area maps the Open Edition MVSsecurity function codes. A new constantIRRSEQ00# has been added for function code 39 -R_admin.

TME 10 GEMuseradministrationfor OS/390

RCVT The RACF level in this data area has been updatedto 2040, to reflect the new FMID, HRF2240.

New FMID

RFXP RFXPLEN, RFXPVERS, RFXALET, and RFXLOGShave been added.

DB2

SAFP This data area has been updated to reflect the newRACF FMID, HRF2240.

New FMID

ExitsBecause two new keywords, ACEEALET and LOGSTR, were added toRACROUTE REQUEST=FASTAUTH, there are changes to exit processing.

When the ACEEALET keyword is specified on the RACROUTEREQUEST=FASTAUTH macro, the ACEE must be accessed using the ALET in theRFXALET field of the RFXP parameter list. In all other cases, the ACEE can beaccessed in the current HOME address space. For cross-memory callers, thismeans the ACEE must be accessed using an ALET of 2.

When the ACEEALET= keyword is specified, the sequence of exit, authorization,and audit processing is the same as the sequence for cross-memory requests. Thissequence is:

� ICHRFX03

� Authorization processing

� ICHRFX04

� Audit processing


RFXALET and RFXLOGS correspond to new fields in the RACROUTEREQUEST=FASTAUTH parameter list. These fields only exist in parameter listscreated with RELEASE=2.4 or higher. Therefore, these fields must only beaccessed when the RFXPVERS indicates Release 2.4 or higher.

MacrosFigure 6 lists changes to executable macros for OS/390 Release 4. These are foryour information; there is no reason to modify any existing programs to specify thenew release level. These changes are general-use programming interfaces (GUPI).

Figure 6. Changed Executable Macros

Macro Description Support

ICHEACTNICHEINTYICHETEST

These macros accept the new RELEASE=2.4keyword.

New FMID

RACROUTE REQUEST=FASTAUTH allows the following to bespecified:

� LOGSTR=parameter

� Message suppression (MSGSUPP=YES)

� ACEEALET=alet_addr parameter

Authorizationsupport forDB2

MessagesThe messages that have been added or changed in RACF for OS/390 Release 4are listed below. Compare the message identifiers and the corresponding messagetext with any automated operations procedures your installation uses to determinewhether updates are required.

New MessagesThe following messages are added:

PERMIT Command Messages ICH06021I

RACF/DB2 External Security Module Messages: IRR900A, IRR901A, IRR902A,IRR903A, IRR904I, IRR905I, IRR906I, IRR907I, IRR908I, IRR909I, IRR910I,IRR911I

TARGET Command Messages: IRRM055I, IRRM056I

Changed MessagesThe following messages are changed:

RACF Initialization Messages: ICH502I, ICH506I, ICH518I, ICH556I

PERMIT Command Messages: ICH06018I

RDEFINE Command Messages: ICH10302I


RALTER Command Messages: ICH11304I

SETROPTS Command Messages: ICH14042I

RACF Manager Error Messages: ICH51011I

RACF Processing Messages: IRR410I

RACF Utility Messages: IRR67032I, IRR67034I, IRR67124I, IRR67153I,IRR67183I

RRSF Enveloping Messages: IRRV002I, IRRV005I, IRRV013I, IRRV014I

RACF Operational Modes and Coupling Facility Messages: IRRX013A

Deleted MessagesThe following messages have been deleted:

ICH401I, ICH402I, ICH403I, ICH404I, ICH405I, ICH406I, ICH407I, ICH410I,ICH413I, ICH536I, ICH543I, ICH547I, ICH548I, ICH61000I, ICH61001I, ICH61002I,ICH61003I, ICH61004I, ICH61006I, ICH61007I, ICH62001I, ICH62002I, ICH62003I,ICH62004I, ICH62007I, ICH62008I, ICH62009I, ICH62010I, ICH62012I, ICH62014I,ICH62015I, ICH62017I, ICH62018I, ICH62019I, ICH62021I, ICH62022I, ICH63001I,ICH63002I, ICH63003I, ICH63004I, ICH63005I, ICH63006I, ICH63007I, ICH63008I,ICH63009I, ICH63010I, ICH63011I, ICH63012I, ICH63013I, ICH63014I, ICH63015I,ICH63016I, ICH63017I, ICH63018I, ICH63019I, ICH63020I, ICH63021I, ICH63022I,ICH63023I, ICH63024I, ICH63025I, ICH63026I, ICH63027A, ICH65001I,ICH65002I, ICH65003I, ICH65004I, ICH65005I, ICH65006I, ICH65007I, ICH65008I,ICH65009I, ICH65010I, ICH65011I, ICH65012I, ICH65013I, ICH65014I, ICH65015I,ICH65016I, ICH65017I, ICH65018I, ICH65019I, ICH65020I, ICH65021I, ICH65022I,ICH65023I, ICH65024I, ICH65025I, ICH65026I, ICH8000, ICH8001, ICH8002,ICH8003, ICH8004, ICH8005, ICH8006, ICH8007, ICH8008, ICH8009, ICH8010,ICH8011, ICH8012, ICH8013, ICH8014, ICH8015, ICH8016, ICH10316I,ICH36001I, IRR67098I

PanelsFigure 7 lists new RACF panels. Figure 8 on page 19 lists RACF panels that arechanged.


Figure 7. New Panels for RACF

Panel Description Support

ICHP241n This panel enables you to add an entry for theconditional access list and to identify the accessauthority for it.

Program control by system ID

ICHP242n This panel enables you to remove an entry from theconditional access list and to identify the access listfrom which conditions are to be removed


ICHH241n This panel allows you to specify the system identifiers(SMFIDs) of the systems from which users may usethe resources protected by the profile. Each systemidentifier is a 4-characters string.


ICHH242n This panel allows you to specify the system identifiers(SMFIDs) of the systems to be removed from thespecified entries in the conditional access list. Eachsystem identifier is a 4-character string.


ICHnnnn This panel enables you to specify identifiers (SMFIDs)of the system from which users may use the resourcesthat are being protected. Each system identifier is a4-character string.


ICHHnnnn This panel enables you to specify identifiers (SMFIDs)of the system to be removed from the specified entriesin the conditional access list. Each system identifier isa 4-character string.


Figure 8. Changed Panels for RACF

Panel Description Support

ICHP241CICHP242AICHH241C

These panels contain changes needed to add or remove listentries related to conditional access lists.

Program control bysystem ID

SYS1.SAMPLIBFigure 9 identifies change to the RACF member of SYS1.SAMPLIB.

Figure 9. Change to SYS1.SAMPLIB

Member Description Support

IRR@XACS This member is shipped to provide asample RACF authorization checkexternal security module.

Authorization support for DB2


Publications LibraryFigure 10 lists changes to the OS/390 Security Server (RACF) publications library.

Note:

You are able to print the softcopy documentation, either in its entirety orsimply portions of it.

Figure 10. Changes to the RACF Publications Library

Publication Change

OS/390 Security Server (RACF) Callable Services This publication isavailable only insoftcopy.

OS/390 Security Server (RACF) Data Areas This is no longer alicensed publication.Its new form numberis SY27-2640-03.


Chapter 4. Planning Considerations

This chapter describes the following high-level planning considerations forcustomers upgrading to OS/390 Release 4 Security Server (RACF) from OS/390Release 3 Security Server (RACF):

� Migration strategy � Migration paths � Hardware requirements � Compatibility

Migration StrategyThe recommended steps for migrating to a new release of RACF are:

1. Become familiar with the release documentation.2. Develop a migration plan for your installation.3. Install the product using the program directory shipped with OS/390.4. Use the new release before initializing major new function.5. Customize the new function for your installation.6. Exercise the new function.

Migration Paths for OS/390 Release 4 Security Server (RACF)� From OS/390 Release 3 Security Server (RACF)

If you are an OS/390 Release 3 Security Server (RACF) customer, you canmigrate to OS/390 Release 4 Security Server (RACF) if you meet the OS/390release requirements.

� From OS/390 Release 2 Security Server (RACF)

If you are an OS/390 Release 2 Security Server (RACF) customer, you canmigrate to OS/390 Release 4 Security Server (RACF) if you meet the OS/390release requirements. You should also read OS/390 Security Server (RACFPlanning: Installation and Migration for Release 3.

� From OS/390 Release 1 Security Server (RACF) or RACF 2.2

If you are an OS/390 Release 1 Security Server (RACF) or RACF 2.2customer, you can migrate to OS/390 Release 4 Security Server (RACF) if youmeet the OS/390 release requirements. (OS/390 Release 1 Security Server(RACF) and RACF 2.2 are functionally equivalent.) In addition to this book, youshould read:

– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02)

� From RACF 1.9.2 or RACF 2.1

If you are a RACF 1.9.2 or 2.1 customer, you can migrate to OS/390 Release 4Security Server (RACF) if you meet the OS/390 release requirements. If youhave RACF 2.1 installed, in addition to this book, you should read:

– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 2 (GC28-1920-01) and Release 3 (GC28-1920-02), and


– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 1.(GC28-1920-00)

If you have RACF 1.9.2 installed, in addition to this book, you should read:

– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 2, (GC28-1920-01) and Release 3 (GC28-1920-02)

– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 1(GC28-1920-00)

– RACF Planning: Installation and Migration for RACF 2.1 (GT00-9241-00)

� From RACF 1.9

If you are a RACF 1.9 customer, you can migrate to OS/390 Release 4Security Server (RACF) if you are running with the restructured database andmeet the OS/390 release requirements. If your database is not restructured,you must restructure it and perform appropriate testing of anyinstallation-supplied code that uses ICHEINTY or RACROUTEREQUEST=EXTRACT,TYPE=EXTRACT or TYPE=REPLACE before installingOS/390 Release 2 Security Server (RACF). In addition to this book, you shouldread:


– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 1 (GC28-1920-00)

– RACF Migration and Planning for RACF 2.1(GT00-9241-00)

– RACF Migration and Planning for RACF 1.9.2(GC23-3045)

From RACF releases prior to 1.9

If you are on a RACF release prior to 1.9, you need to buy a conversionservice. These are available from IBM and possibly from other vendors. Inaddition to this book, you should read:


– OS/390 Security Server (RACF) Planning: Installation and Migration forOS/390 Release 1 (GC28-1910-00)

– RACF Planning: Installation and Migration for RACF 2.1 (GT00-9241-00)

– RACF Migration and Planning for RACF 1.9.2 (GC23-3054)

– RACF Migration and Planning for RACF 1.9 (GT00-5380-00)

Hardware RequirementsOS/390 Release 4 Security Server (RACF) does not require any specific hardwaresupport. It runs on all hardware supported by OS/390 Release 4. However, datasharing mode in the Parallel Sysplex requires a coupling facility configured forRACF's use.


CompatibilityThis section describes considerations for compatibility between OS/390 Release 4Security Server (RACF) and OS/390 Release 3 Security Server (RACF).

OpenEdition MVSIf you are an OpenEdition MVS user, be sure to review carefully the followinginformation on possible changes.

For Auditability of SuperusersIf you are not already auditing the PROCESS class, you need to decide whetheryou want to receive the audit records. If you do decide you wish to audit theOpenEdition spawn service, issue SETROPTS LOGOPTIONS(xxxx(PROCESS)) toobtain the SMF TYPE80 record ck_priv in order to audit superuser use. If you areauditing the PROCESS class, you do not need to issue that command.

You need to change any programs reporting from the unloaded data if you want thespawn audit information.

For Default USER/GROUP OpenEdition SegmentThe existing type 317 relocate section appears on any SMF TYPE80 recordswritten by the RACF callable services for users running with any defaultOpenEdition information.

You need to change any programs reporting from the unloaded data if you use thissupport.

Program Control by System IDIf users are already allowed access through the standard access list, they must beremoved from these lists so the conditional access list entry is used. In-storageprogram profiles must be refreshed with SETROPTS WHEN(PROGRAM)REFRESH to activate the updated PROGRAM profiles.

RELEASE=2.4 Keyword on MacrosYou should only specify RELEASE=2.4 and reassemble if you intend to use thenew keywords. If you use the new keywords, you need to run the program on anOS/390 Release 4 system to get the expected results.

Chapter 4. Planning Considerations 23

Chapter 5. Installation Considerations

This chapter describes the following changes of interest to the system programmerinstalling OS/390 Release 4 Security Server (RACF):

� Virtual storage considerations � Templates

RACF Storage ConsiderationsThis section discusses storage considerations for RACF.

Using the RACF DB2 external security module increases the number of profiles inthe RACF database. Therefore, if you plan to use the RACF DB2 external securitymodule, recalculate the amount of storage that is needed. If there is not enoughstorage, you should increase the size of the RACF database.

Virtual StorageFigure 11 estimates RACF virtual storage usage for planning purposes.

Figure 11 (Page 1 of 3). RACF Estimated Storage Usage

StorageSubpool Usage How to Estimate Size

FLPA RACF service routines, if IMS or CICSis using RACF for authorizationchecking

47 000

RACROUTE REQUEST=FASTAUTHand ICHRTX00 exits

Measure using AMBLIST

PLPA RACF installation exits that areAMODE(24) or AMODE(ANY)


RACF RMODE(24) code 750

RACF service routines, if IMS or CICSis not using RACF for authorizationchecking, unless explicitly removedfrom SYS1.LPALIB and placedelsewhere for use in FLPA

47 000

RACROUTE REQUEST=FASTAUTHand ICHRTX00 exits


RACF range table 4 + (number_of_ranges × 45)

EPLPA RACF installation exits that areAMODE(31)


RACF resident modules above 16MB 875 000

SQA RACF communications vector table andextension

2800

Class descriptor table (CNST) andRACF router table

7500 + 58 × number_of_customer_defined_classes




ESQA RACF data sharing control area 300 (when enabled for sysplex communication)

Class descriptor table (CNSX) (number_of_IBM-defined_classes × 28) +(number_of_IBM-defined_entries_in_router_table × 30) +(number_of_customer_defined_classes × 58) + 26

For Security Server (RACF), there are 145 IBM-definedclasses and 167 IBM-defined entries in the router table, sothe size of the CNSX is 9096 +(number_of_customer_defined_classes × 58). If you install aPTF that adds entries, you will need to recalculate thisnumber.

LSQA ACEE and related storage

Notes:

1. Applications can place this storagein a different subpool.

2. Applications can create multipleACEEs in this and other storagesubpools.

400 + installation_data_length +terminal_installation_data_length +application_installation_data + (52 for every 78 temporarydatasets, rounded up to the next multiple of 52)

If the address space has been dubbed an OpenEditionprocess, then add: 52 +(number_of_connected_groups_with_GIDs × 4)

Add 112 bytes if the user has CLAUTH for a class with aPOSIT value over 127.

ELSQA Connect group table 64 + (48 × number_of_groups_connected)

In-storage generic profiles 160 + number_of_generic_profiles × (14 +average_profile_size + average_profile_name_length)

RACF storage tracking table 3500

RACROUTE REQUEST=LIST profiles

Note: Applications can place theseprofiles in a different storagesubpool.

2108 + (number_of_profiles_in_class × 16) +(number_of_unique_generic_profile_prefix_lengths × 24) +(number_of_generic_profiles × 4) +(number_of_resident_profiles × (10 + average_profile_size +(1.5 × class_max_profile_name_size))) for each class ifGLOBAL=YES is not specified

CSA RACF global access tables 3040 + (number_of_user_classes × 24) + 2 × (18 +number_of_entries × (6 + (1.5 × max_profile_name_size)))

RACF database control structures(DCB, DEB, templates)

4600 + (number_of_BAM_blocks × 6) + (364 xnumber_of_RACF_primary_data_sets)

RACF subsystem control blocks 3500




ECSA RACF data set descriptor table andextension

168 + (896 × number_of_RACF_primary_data_sets)

RACF ICB (non-shared DB) 4096 per RACF database if the database is not shared and isnot on a device marked as shared, 0 otherwise

| RACF program control table| 28 + (number_of_program_profiles ×| average_program_profile_size) +| (number_of_controlled_libraries × 50)

| To find the average_program_profile_size, use the following| formula:

| 54 + (average_number_of_access _entries × 9) +| (average_number_of _conditional_access_entries × 17) +| (average_number_of_libraries × 52)

RACF resident data blocks For each primary RACF database: 3248 + (4136 ×number_of_database_buffers) If using sysplexcommunication, for each backup database add: 3248 + (4136× number_of_database_buffers × 2)

Dynamic parse tables 30 000

SETROPTS GENLIST profiles 52 + (number_of_profiles_in_class × 16) +(number_of_resident_profiles × (10 + average_profile_size +(1.5 × class_max_profile_name_size)))

User privateBelow 16MB

RACF transient storage 16 000 (minimum) while a RACF service is executing

Templates for RACF on OS/390 Release 4The RACF database must have templates at the Security Server (RACF) Release 4level in order for RACF to function properly. If a Security Server (RACF) Release 4system is sharing the database with a lower-level system (RACF 1.9, RACF 1.9.2,RACF 1.10, RACF 2.1, RACF 2.2, Security Server (RACF) Release 1, SecurityServer (RACF) Release 2, or Security Server (RACF) Release 3), the lower-levelsystem is able to use the database with the Security Server (RACF) Release 4templates. Use the IRRMIN00 utility to install the templates.

For more information, see OS/390 Security Server (RACF) System Programmer'sGuide and the program directory shipped with OS/390.

Chapter 5. Installation Considerations 27

Chapter 6. Customization Considerations

This chapter identifies customization considerations for OS/390 Release 4 SecurityServer (RACF).

For additional information, see OS/390 Security Server (RACF) SystemProgrammer's Guide.

Customer Additions to the Router Table and the CDTInstallations must verify that classes they have added to the router table and classdescriptor table (CDT) do not conflict with new classes shipped with RACF. Ifduplicate table entries are detected, the following error messages are issued at IPLtime:

� For a duplicate router table entry, RACF issues this message and continuesprocessing: ICH527I RACF DETECTED AN ERROR IN THE INSTALLATION ROUTERTABLE, ENTRY class_name, ERROR CODE 1.

� For a duplicate CDT entry, RACF issues this message and enters failsoft mode:ICH564A RACF DETECTED AN ERROR IN THE INSTALLATION CLASS DESCRIPTORTABLE, ENTRY class_name, ERROR CODE 7.

If a conflict in class names occurs, you must delete the profiles in theinstallation-defined class with the conflicting name, delete the CDT entry for theclass, add a CDT entry with a different name, and redefine the profiles.

Do not assemble the user-defined CDT (ICHRRCDE) on OS/390 Release 4 andattempt to use it on a system running RACF at a lower level than RACF Version 2Release 2.

RACF/DB2 External Security Module CustomizationIf you have both this release of RACF and Version 5 of DB2, you can use RACF toprotect DB2 objects. Migrating to this can be done one object at a time. Forexample, all DB2 tables can be protected by RACF while other DB2 objects are notRACF-protected. If an object is not protected by RACF, the RACF/DB2 externalsecurity module defers to DB2 for authority checking.

The following is an overview of the steps involved in customizing RACF/DB2external security module. For details, see OS/390 Security Server (RACF) SystemProgrammer's Guide and OS/390 Security Server (RACF) Security Administrator'sGuide

� Concerned staff members, such as the security administrator, systemprogrammer, DB2 system programmer, and database administrator, need todecide whether to use the RACF/DB2 external security module.

� Staff members need to decide which of the options (such as class and profilename options) offered by the RACF/DB2 external security module they plan touse. This can be as simple as using the defaults, which is recommended. If thedefaults are used, no new classes are needed.


� Set the options in the RACF/DB2 external security module. To do this, seeOS/390 Security Server (RACF) System Programmer's Guide.

� Decide which DB2 objects are to be protected using RACF. Define theappropriate profiles. To do this, see OS/390 Security Server (RACF) SecurityAdministrator's Guide.

� Activate the RACF/DB2 external security module. This includes assembling andlinkediting the RACF/DB2 external security module. In addition confirm that it isin the appropriate library. To do this, see DB2 for OS/390 Version 5Administration Guide Volume 2, SC26-8957, and DB2 for OS/390 Version 5Installation Guide, GC26-8970.

� Restart the DB2 subsystem.

Exit ProcessingThe following changes affect FASTAUTH exits. Four fields have been added to theRFXP data area and four to the FAST data area.

Four fields are added to the RFXP data area. These are two 1-byte fields,RFXPLEN and RFXPVERS. RFXPLEN contains the parameter list length, andRFXPVERS contains the parameter list version. There are also two new 4-bytefields, RFXALET and RFXLOGS, which exist only when RFXPVERS contains avalue of 1 or higher.

Four fields are also added to the FAST data area. These are two 1-byte fields,FASTPLEN and FASTPVER. FASTPLEN contains the parameter list length, andFASTPVER contains the parameter list version. There are also two new 4-bytefields, FASTALET and FASTLOGS, which exist only when FASTPVER contains avalue of 1 or higher.


Chapter 7. Administration Considerations

This chapter summarizes the changes to administration procedures that the securityadministrator should be aware of. For more information, see OS/390 SecurityServer (RACF) Security Administrator's Guide.

The TMEADMIN ClassThe new TMEADMIN class is used to associate a TME administrator with a RACFMVS identity on any MVS system that is part of a Tivoli management region (TMR).The TMEADMIN class contains a profile for each TME administrator who is able toperform RACF user management tasks. The name of this profile is the TMEadministrator string name. For example:

admin-login-name@TME-region-name

The hex code for @ is x'7C'. You need to use the key on your keyboard thatprovides that hex value. Sharing of a single RACF user ID by multiple TMEadministrators is not recommended. It is preferable that each TME administrator IDmap to a unique RACF user ID.

In the following example, the TME administrator root in the Tivoli TMR region ofpok01 would have a RACF user ID of CSMITH. The APPLDATA field of this profilecontains the RACF MVS userid. Only a RACF administrator with SPECIAL authoritycan issue this command:

RDEFINE TMEADMIN root@pokð1 APPLDATA('CSMITH')

For more information on the TMEADMIN class, see “Tivoli ManagementEnvironment (TME) 10 Global Enterprise Management User Administration Service”on page 8.

Password History ChangesWhen an administrator resets a password for a user, the old password is saved inthe password history list. This is done with the use of one of the followingcommands:

ALTUSER (userid ...) PASSWORDALTUSER (userid ...) PASSWORD(password)PASSWORD USER(userid ...)

For more information, see “Password History Enhancements” on page 7.

Program Control by System IDProgram control by system ID limits a user's access to a particular program to aspecified system. It improves system management and usability of programproducts in the sysplex environment. In addition, it eliminates error-prone manualprocedures, eliminates the need to keep DASD that is not shared, and eliminatesthe possibility of license exposures.


Enhancements of Global Access CheckingWhen you use RACROUTE REQUEST=AUTH processing (which utilizes globalaccess checking) for general resource classes, these classes can be processedwhether or not the class is RACLISTed using SETROPTS RACLIST orRACROUTE REQUEST=LIST.


Chapter 8. Auditing Considerations

This section summarizes the changes to auditing procedures for SMF records.

SMF RecordsFigure 12 summarizes changes to SMF records created by RACF for OS/390Release 4. These changes are general-use programming interfaces (GUPI).

For more information on SMF records, see OS/390 Security Server (RACF) Macrosand Interfaces.

The RACF/DB2 external security module can be used to protect DB2 objects usingRACF profiles. If your installation chooses to use this function, RACF SMF Type 80records can be used to audit access attempts to DB2 data and resources. For moreinformation on auditing for the RACF/DB2 external security module, see OS/390Security Server (RACF) Auditor's Guide.

Figure 12. Changes to SMF Records

RecordType

RecordField Description of Change Support

80 SMF80DTA When program control through systemID is operating, a new bit is defined inan existing relocate section for SMFTYPE80 records written by thePERMIT command. The relocatesection is data type 39 (X'27'), and thenew bit indicates that the conditionalentity type is SYSID.

Program controlthrough systemID

80 SMF80DA2 This record with a ck_priv event codeis written when an authorization checkis done for a superuser. The recordcontains the audit function code toindicate that the ck_priv callableservice was called from spawn(IRRSPK00).

OpenEditionauditing ofsuperuser use


Chapter 9. Application Development Considerations

Application development is the process of planning, designing, and codingapplication programs that invoke RACF functions. This section highlights newsupport that might affect application development procedures:

� Programming interfaces� RELEASE=2.4 keyword on macros� Changes to RACROUTE REQUEST=FASTAUTH

Programming InterfacesFor a summary of changes to the programming interfaces for RACF for OS/390Release 4, see:

� “Class Descriptor Table (CDT)” on page 12

� “Data Areas” on page 15

� Figure 6 on page 17

RELEASE=2.4 Keyword on MacrosThe RACROUTE, ICHEINTY, ICHEACTN, and ICHETEST macros support thevalue 2.4 on the RELEASE keyword, although they do not support new keywordsthat would require RELEASE=2.4 to be specified. Customers are not required toupdate existing programs to specify RELEASE=2.4. You should only use theRELEASE=2.4 keyword if you are using new keywords.

FASTAUTH ChangesChanges in this release allow:

� LOGSTR= parameter to be specified on the RACROUTEREQUEST=FASTAUTH macro

� Message suppression (MSGSUPP=YES) to be specified on the RACROUTEREQUEST=FASTAUTH macro

� ACEEALET=alet_addr parameter on RACROUTE REQUEST=FASTAUTH tospecify ALET value of any address space where an ACEE resides


Chapter 10. General User Considerations

RACF general users use RACF to:

� Log on to the system

� Access resources on the system

� Protect their own resources and any group resources to which they haveadministrative authority

For more information on the output general users might receive, see OS/390Security Server (RACF) General User's Guide.

Password History ChangesEnd users are no longer able to keep their favorite password by pretending theyhave forgotten it and getting a security administrator or help desk person to reset itto a temporary value for them. RACF saves the old (favorite) password in thehistory list, making it unusable.


Glossary

Aaccess . The ability to obtain the use of a protectedresource.

access authority . An authority related to a request fora type of access to protected resources. In RACF, theaccess authorities are NONE, EXECUTE, READ,UPDATE, CONTROL, and ALTER.

accessor environment element (ACEE) . Adescription of the current user, including user ID,current connect group, user attributes, and groupauthorities. An ACEE is constructed during useridentification and verification.

ACEE. See accessor environment element.

appropriate privileges . In the OpenEdition MVSimplementation, superuser authority. A trusted orprivileged attribute is an attribute associated with astarted procedure address space and with any processassociated with the address space.

AUDIT request . The issuing of the RACROUTE macrowith REQUEST=AUDIT specified. An AUDIT request isa general-purpose security-audit request that can beused to audit a specified resource name and action.

AUTH request . The issuing of the RACROUTE macrowith REQUEST=AUTH specified. The primary functionof an AUTH request is to check a user's authorization toa RACF-protected resource or function. The AUTHrequest replaces the RACHECK function. See alsoauthorization checking.

authority . The right to access objects, resources, orfunctions. See access authority, class authority, andgroup authority.

authorization checking . The action of determiningwhether a user is permitted access to a protectedresource. RACF performs authorization checking as aresult of a RACROUTE REQUEST=AUTH orRACROUTE REQUEST=FASTAUTH.

automatic command direction . An extension ofcommand direction that causes RACF to automaticallydirect certain commands to one or more remote nodesafter running the commands on the issuing node.Commands can be automatically directed based on whoissued the command, the command name, or the profileclass related to the command. Profiles in theRRSFDATA class control to which nodes commandsare automatically directed. See also automaticpassword direction, automatic command direction,

automatic direction of application updates, andcommand direction.

automatic direction . An RRSF function thatautomatically directs commands, ICHEINTY andRACROUTE macros, and password-related updates toone or more remote systems. See also automaticcommand direction, automatic password direction, andautomatic direction of application updates.

automatic direction of application updates . AnRRSF function that automatically directs ICHEINTY andRACROUTE macros that update the RACF database toone or more remote systems. Profiles in theRRSFDATA class control which macros areautomatically directed, and to which nodes. See alsoautomatic direction, automatic command direction, andautomatic password direction.

automatic password direction . An extension ofpassword synchronization and automatic commanddirection that causes RACF to automatically change thepassword for a user ID on one or more remote nodesafter the password for that user ID is changed on thelocal node. Profiles in the RRSFDATA class control forwhich users and nodes passwords are automaticallydirected. See also password synchronization, automaticcommand direction, automatic direction of applicationupdates, and automatic direction.

Ccache structure . A coupling facility structure thatcontains data accessed by systems in a sysplex. MVSprovides a way for multiple systems to determine thevalidity of copies of the cache structure data in theirlocal storage.

callable service . In OpenEdition MVS, a request byan active process for a service. Synonymous withsyscall, system call.

CDT. See class descriptor table.

class . A collection of RACF-defined entities (users,groups, and resources) with similar characteristics. Theclass names are USER, GROUP, DATASET, and theclasses that are defined in the class descriptor table.

class authority (CLAUTH) . An authority enabling auser to define RACF profiles in a class defined in theclass descriptor table. A user can have class authoritiesto one or more classes.

class descriptor table (CDT) . A table consisting of anentry for each class except the USER, GROUP, and


DATASET classes. The table is generated by executingthe ICHERCDE macro once for each class. The classdescriptor table contains both the IBM provided classesand also the installation defined classes.

CLAUTH . See class authority.

command direction . A RRSF function that allows auser to issue a command from one user ID and directthat command to run under the authority of a differentuser ID on the same or a different RRSF node. Beforea command can be directed from one user ID toanother, a user ID association must be defined betweenthem via the RACLINK command.

command interpreter . A program that reads thecommands that you type in and then executes them.When you are typing commands into the computer, youare actually typing input to the command interpreter.The interpreter then decides how to perform thecommands that you have typed. The shell is anexample of a command interpreter. Synonymous withcommand language interpreter. See also shell.

command language interpreter . Synonym forcommand interpreter.

coupling facility . The hardware element that provideshigh-speed caching, list processing, and lockingfunctions in a sysplex.

DData Facility Product (DFP) . A program that isolatesapplications from storage devices, storagemanagement, and storage device hierarchymanagement.

data security . The protection of data fromunauthorized disclosure, modification, or destruction,whether accidental or intentional.

data security monitor (DSMON) . A RACF auditingtool that produces reports enabling an installation toverify its basic system integrity and data-securitycontrols.

data set profile . A profile that provides RACFprotection for one or more data sets. The information inthe profile can include the data-set profile name, profileowner, universal access authority, access list, and otherdata. See discrete profile and generic profile.

data sharing mode . An operational RACF mode thatis available when RACF is enabled for sysplexcommunication. Data sharing mode uses global

resource serialization protocol that allows concurrentRACF instances to directly access and change thesame database while maintaining data integrity asalways. Data sharing mode requires installation ofcoupling facility hardware.

default group . In RACF, the group specified in a userprofile that is the default current connect group.

DEFINE request . The issuing of the RACROUTEmacro with REQUEST=DEFINE specified. Also, using aRACF command to add or delete a resource profilecauses a DEFINE request. The DEFINE requestreplaces the RACDEF function.

DFP. See Data Facility Product.

DFP segment . The portion of a RACF profilecontaining information relating to the users andresources that are managed by the data facility product(DFP).

DIRAUTH request . The issuing of the RACROUTEmacro with REQUEST=DIRAUTH specified. ADIRAUTH request works on behalf of themessage-transmission managers to ensure that thereceiver of a message meets security-labelauthorization requirements.

directed command . A RACF command that is issuedfrom a user ID on an RRSF node. It runs in the RACFsubsystem address space on the same or a differentRRSF node under the authority of the same or adifferent user ID. A directed command is one thatspecifies AT or ONLYAT. See also command directionand automatic command direction.

directory . (1) A type of file containing the names andcontrolling information for other files or other directories.(2) A construct for organizing computer files. As filesare analogous to folders that hold information, adirectory is analogous to a drawer that can hold anumber of folders. Directories can also containsubdirectories, which can contain subdirectories of theirown. (3) A file that contains directory entries. No twodirectory entries in the same directory can have thesame name. (4) A file that points to files and to otherdirectories. (5) An index used by a control program tolocate blocks of data that are stored in separate areasof a data set in direct access storage.

discrete profile . A resource profile that can provideRACF protection for only a single resource. Forexample, a discrete profile can protect only a singledata set or minidisk.

DSMON. See data security monitor.


Eentity . A user, group, or resource (for example, aDASD data set) that is defined to RACF.

EXTRACT request . The issuing of the RACROUTEmacro with REQUEST=EXTRACT specified. AnEXTRACT request retrieves or replaces certainspecified fields from a RACF profile or encodes certainclear-text (readable) data. The EXTRACT requestreplaces the RACXTRT function.

FFASTAUTH request . The issuing of the RACROUTEmacro with REQUEST=FASTAUTH specified. Theprimary function of a FASTAUTH request is to check auser's authorization to a RACF-protected resource orfunction. A FASTAUTH request uses only in-storageprofiles for faster performance. The FASTAUTH requestreplaces the FRACHECK function. See alsoauthorization checking.

Ggeneral resource . Any system resource, other than anMVS data set, that is defined in the class descriptortable (CDT). General resources are DASD volumes,tape volumes, load modules, terminals, IMS and CICStransactions, and installation-defined resource classes.

general resource profile . A profile that providesRACF protection for one or more general resources.The information in the profile can include the generalresource profile name, profile owner, universal accessauthority, access list, and other data.

general-use programming interface (GUPI) . Aninterface that IBM makes available for use incustomer-written programs with few restrictions and thatdoes not require knowledge of the detailed design orimplementation of the IBM software product. See alsoproduct-sensitive programming interface (PSPI).

generic profile . A resource profile that can provideRACF protection for one or more resources. Theresources protected by a generic profile have similarnames and identical security requirements. Forexample, a generic data-set profile can protect one ormore data sets.

GID. See group identifier.

group . A collection of RACF-defined users who canshare access authorities for protected resources.

group authority . An authority specifying whichfunctions a user can perform in a group. The groupauthorities are USE, CREATE, CONNECT, and JOIN.

group identifier (GID) . (1) In OpenEdition MVS, aunique number assigned to a group of related users.The GID can often be substituted in commands thattake a group name as an argument. (2) Anon-negative integer, which can be contained in anobject of type gid_t, that is used to identify a group ofsystem users. Each system user is a member of atleast one group. When the identity of a group isassociated with a process, a group ID value is referredto as a real group ID, an effective group ID, one of the(optional) supplementary group IDs, or an (optional)saved set-group-ID.

group profile . A profile that defines a group. Theinformation in the profile includes the group name,profile owner, and users in the group.

GUPI. See general-use programming interface.

HHFS. See hierarchical file system.

hierarchical file system (HFS) . Information isorganized in a tree-like structure of directories. Eachdirectory can contain files or other directories.

IICB. See inventory control block.

inventory control block (ICB) . The first block in aRACF database. The ICB contains a general descriptionof the database.

Kkernel . (1) In OpenEdition MVS, the part of anoperating system that contains programs for such tasksas I/O, management, and control of hardware and thescheduling of user tasks. (2) The part of the systemthat is an interface with the hardware and providesservices for other system layers such as system calls,file system support, and device drivers. (3) The part ofan operating system that performs basic functions suchas allocating hardware resources. (4) A program thatcan run under different operating system environments.See also shell. (5) A part of a program that must be incentral storage in order to load other parts of theprogram.

Glossary 41

LLIST request . The issuing of the RACROUTE macrowith REQUEST=LIST specified. A LIST request buildsin-storage profiles for RACF-defined resources. TheLIST request replaces the RACLIST function.

local logical unit (LU) . Local LUs are LUs defined tothe MVS system; partner LUs are defined to remotesystems. It is a matter of point of view. From the pointof view of a remote system, LUs defined to that systemare local LUs, and those on MVS are the partner LUs.

A partner LU might or might not be on the same systemas the local LU. When both LUs are on the samesystem, the LU through which communication is initiatedis the local LU, and the LU through whichcommunication is received is the partner LU.

local node . The RRSF node from whose point of viewyou are talking. For example, if MVSA and MVSB aretwo RRSF nodes that are logically connected, fromMVSA's point of view MVSA is the local node, and fromMVSB's point of view MVSB is the local node. See alsoremote node.

logical unit . A port providing formatting, statesynchronization, and other high-level services throughwhich an end user communicates with another end userover an SNA network.

LU. See logical unit.

Mmain system . The system on a multisystem RRSFnode that is designated to receive most of the RRSFcommunications sent to the node.

member system . Any one of the MVS system imagesin a multisystem RRSF node.

multisystem node . See multisystem RRSF node

multisystem RRSF node . An RRSF node consistingof multiple MVS system images that share the sameRACF database. One of the systems is designated tobe the main system, and it receives most of the RRSFcommunications sent to the node.

MVS. Multiple virtual storage. Implies MVS/370,MVS/XA, and MVS/ESA.

NNetView segment . The portion of a RACF profilecontaining NetView logon information.

node . See RRSF node.

OOVM segment . The portion of a RACF profilecontaining OVM logon information.

owner . The user or group who creates a profile or isnamed the owner of a profile. The owner can modify,list, or delete the profile.

Ppartner logical unit (partner LU) . Partner LUs areLUs defined to remote systems; LUs defined to theMVS system are local LUs. It is a matter of a point ofview. From the point of view of the remote system, LUsdefined to that system are local LUs, and the ones onMVS are the partner LUs.

A partner LU might or might not be on the same systemas the local LU. When both LUs are on the samesystem, the LU through which communication is initiatedis the local LU, and the LU through whichcommunication is received is the partner LU.

PassTicket . An alternative to the RACF password thatpermits workstations and client machines tocommunicate with the host. It allows a user to gainaccess to the host system without sending the RACFpassword across the network.

password . In computer security, a string of charactersknown to the computer system and a user who mustspecify it to gain full or limited access to a system andto the data stored within it. In RACF, the password isused to verify the identity of the user.

password synchronization . An option which can bespecified when a peer user ID association is definedbetween two user IDs. If password synchronization isspecified for a user ID association, then whenever thepassword for one of the associated user IDs ischanged, the password for the other user ID isautomatically changed to the newly defined password.See also automatic password direction.

permission bits . In OpenEdition MVS, part of securitycontrols for directories and files stored in thehierarchical file system (HFS). Used to grant read, write,search (just directory), or execute (just file) access toowner, owner's group, or all others.


posit . A number specified for each class in the classdescriptor table that identifies a set of flags that controlRACF processing options. See the keyword descriptionfor posit in OS/390 Security Server (RACF) Macros andInterfaces.

process . (1) A function being performed or waiting tobe performed. (2) An executing function, or one waitingto execute. (3) A function, created by a fork() request,with three logical sections:

� Text, which is the function's instructions� Data, which the instructions use but do not change� Stack, which is a push-down, pop-up save area of

the dynamic data that the function operates upon

The three types of processes are:

� User processes, which are associated with a user ata workstation

� Daemon processes, which do systemwide functionsin user mode, such as printer spooling

� Kernel processes, which do systemwide functions inkernel mode, such as paging

A process can run in an OpenEdition user addressspace, an OpenEdition forked address space, or anOpenEdition kernel address space. In an MVS system,a process is handled like a task. See also task. (4) Anaddress space and one or more threads of control thatexecute within that address space and their requiredsystem resources. (5) An address space and singlethread of control that executes within that addressspace and its required system resources. A process iscreated by another process issuing the fork() function.The process that issues fork() is known as the parentprocess, and the new process created by the fork() isknown as the child process. (6) A sequence of actionsrequired to produce a desired result. (7) An entityreceiving a portion of the processor's time for executinga program. (8) An activity within the system that isstarted by a command, a shell program, or anotherprocess. Any running program is a process. (9) Aunique, finite course of events defined by its purpose orby its effect, achieved under given conditions. (10) Anyoperation or combination of operations on data.(11) The current state of a program that isrunning—including a memory image, the program data,the variables used, the general register values, thestatus of opened files used, and the current directory.Programs running in a process must be either operatingsystem programs or user programs. (12) A runningprogram including the memory occupied, the open files,the environment, and other attributes specific to arunning program.

product-sensitive programming interface (PSPI) . Aprogramming interface intended to be used only forspecialized tasks such as: diagnosis, modification,monitoring, repairing, tailoring, and tuning of the IBMsoftware product and that depends on or requires thecustomer to understand significant aspects of the

design and implementation of the IBM software product.See also general-use programming interface (GUPI).

profile . Data that describes the significantcharacteristics of a user, a group of users, or one ormore computer resources. See also data set profile,discrete profile, general resource profile, generic profile,group profile, and user profile.

program access to data sets (PADS) . A RACFfunction that enables an authorized user or group ofusers to access one or more data sets at a specifiedaccess authority only while running a specifiedRACF-controlled program. See also program control.

program control . A RACF function that enables aninstallation to control who can run RACF-controlledprograms. See also program access to data sets.

PSPI. See product-sensitive programming interface.

RRACF. See Resource Access Control Facility.

RACF database . A collection of interrelated orindependent data items stored together withoutunnecessary redundancy to serve Resource AccessControl Facility (RACF).

RACF remote sharing facility (RRSF) . RACFservices that function within the RACF subsystemaddress space to provide network capabilities to RACF.

RACF remove ID utility . A RACF utility whichidentifies references to user IDs and group IDs in theRACF database. The utility can be used to findreferences to residual user IDs and group IDs orspecified user IDs and group IDs. The output from thisutility is a set of RACF commands that can be used toremove the references from the RACF database afterreview and possible modification by the customer.

RACF report writer . A RACF function that producesreports on system use and resource use frominformation found in the RACF SMF records.

RACF SMF data unload utility . A RACF utility thatenables installations to create a sequential file from thesecurity relevant audit data. The sequential file can beused in several ways: viewed directly, used as input forinstallation-written programs, and manipulated withsort/merge utilities. It can also be uploaded to adatabase manager (for example, DB2) to processcomplex inquiries and create installation-tailored reports.

RACF-protected . Pertaining to a resource that haseither a discrete profile, an applicable generic profile, ora file or directory that doesn't have a profile, but isprotected with the File Security Packet (FSP). A data

Glossary 43

set that is RACF-protected by a discrete profile mustalso be RACF-indicated.

RACROUTE macro . An assembler macro thatprovides a means of calling RACF to provide securityfunctions. See also AUDIT request, AUTH request,DEFINE request, DIRAUTH request, EXTRACT request,FASTAUTH request, LIST request, SIGNON request,STAT request, TOKENBLD request, TOKENMAPrequest, TOKENXTR request, VERIFY request, andVERIFYX request.

remote logical unit (remote LU) . See partner logicalunit (partner LU). These two terms are interchangeable.

remote node . An RRSF node that is logicallyconnected to a node from whose point of view you aretalking. For example, if MVSX and MVSY are two RRSFnodes that are logically connected, from MVSX's pointof view MVSY is a remote node, and from MVSY's pointof view MVSX is a remote node. See also local node,target node.

Resource Access Control Facility (RACF) . AnIBM-licensed product that provides for access control byidentifying and verifying users to the system, authorizingaccess to protected resources, logging detectedunauthorized attempts to enter the system, and loggingdetected accesses to protected resources.

resource profile . A profile that provides RACFprotection for one or more resources. User, group, andconnect profiles are not resource profiles. Theinformation in a resource profile can include the dataset profile name, profile owner, universal accessauthority, access list, and other data. Resource profilescan be discrete profiles or generic profiles. See discreteprofile and generic profile.

root . (1) The starting point of the file system. (2) Thefirst directory in the system. (3) See appropriateprivileges.

RRSF. See RACF remote sharing facility.

RRSF logical node connection . Two RRSF nodesare logically connected when they are properlyconfigured to communicate via APPC/MVS, and eachhas been configured via the TARGET command to havean OPERATIVE connection to the other.

RRSF network . Two or more RRSF nodes that haveestablished RRSF logical node connections to eachother.

RRSF node . One or more MVS system images withMVS/ESA 4.3 or later installed, RACF 2.2 installed, andthe RACF subsystem address space active. See alsoRRSF logical node connection.

SSAF. System authorization facility.

security . See data security.

security classification . The use of securitycategories, a security level, or both, to imposeadditional access controls on sensitive resources. Analternative way to provide security classifications is touse security labels.

SFS. Shared file system

shared file system (SFS) . A part of CMS that letsusers organize their files into groups known asdirectories and selectively share those files anddirectories with other users.

shell . (1) In OpenEdition MVS, a program thatinterprets and processes interactive commands from apseudoterminal or from lines in a shell script. (2) Aprogram that interprets sequences of text input ascommands. It may operate on an input stream, or itmay interactively prompt and read commands from aterminal. Synonymous with command languageinterpreter. (3) A software interface between a userand the operating system of a computer. Shellprograms interpret commands and user interactions ondevices such as keyboards, pointing devices andtouch-sensitive screens and communicate them to theoperating system. (4) The command interpreter thatprovides a user interface to the operating system andits commands. (5) The program that reads a user'scommands and executes them. (6) The shell commandlanguage interpreter, a specific instance of a shell.(7) A layer, above the kernel, that provides a flexibleinterface between users and the rest of the system.(8) Software that allows a kernel program to run underdifferent operating system environments.

SIGNON request . The issuing of the RACROUTEmacro with REQUEST=SIGNON specified. A SIGNONrequest is used to provide management of thesigned-on lists associated with persistent verification(PV), a feature of the APPC architecture of LU 6.2.

single-system RRSF node . An RRSF node consistingof one MVS system image.

SMF records . See RACF SMF data unload utility.

STAT request . The issuing of the RACROUTE macrowith REQUEST=STAT specified. A STAT requestdetermines if RACF is active and, optionally, whether agiven resource class is defined to RACF and active.The STAT request replaces the RACSTAT function.

structure . See cache structure.


supervisor . The part of a control program thatcoordinates the use of resources and maintains the flowof processing unit operations. Synonym for supervisoryroutine.

supervisory routine . A routine, usually part of anoperating system, that controls the execution of otherroutines and regulates the flow of work in a dataprocessing system. Synonymous with supervisor.

syscall . In OpenEdition MVS, deprecated term forcallable service.

sysplex . A set of MVS systems communicating andcooperating with each other through multisystemhardware elements and software services to processcustomer workloads.

sysplex communication . An optional RACF functionthat allows the system to use XCF services andcommunicate with other systems that are also enabledfor sysplex communication.

system authorization facility (SAF) . An MVScomponent that provides a central point of control forsecurity decisions. It either processes requests directlyor works with RACF or another security product toprocess them.

system call . In OpenEdition MVS, synonym forcallable service.

Ttarget node . An RRSF node that a given RRSF nodeis logically connected to as a result of a TARGETcommand. The local node is a target node of itself, andall of its remote nodes are target nodes. See also localnode, remote node.

task . (1) A basic unit of work to be accomplished by acomputer. The task is usually specified to a controlprogram in a multiprogramming or multiprocessingenvironment. (2) A basic unit of work to be performed.Some examples include a user task, a server task, anda processor task. (3) A process and the proceduresthat run the process. (4) In a multiprogramming ormultiprocessing environment, one or more sequences ofinstructions treated by a control program as an elementof work to be accomplished by a computer. (5) Thebasic unit of work for the MVS system.

TOKENBLD request . The issuing of the RACROUTEmacro with REQUEST=TOKENBLD specified. ATOKENBLD request builds a UTOKEN.

TOKENMAP request . The issuing of the RACROUTEmacro with REQUEST=TOKENMAP specified. ATOKENMAP request maps a token in either internal or

external format, allowing a caller to access individualfields within the UTOKEN.

TOKENXTR request . The issuing of the RACROUTEmacro with REQUEST=TOKENXTR specified. ATOKENXTR request extracts a UTOKEN from thecurrent address space, task, or a caller-specified ACEE.

transaction program (TP) . A program used forcooperative transaction processing within an SNAnetwork. For APPC/MVS, any program on MVS thatissues APPC/MVS or CPI Communication calls, or isscheduled by the APPC/MVS transaction scheduler.

TSO segment . The portion of a RACF profilecontaining TSO logon information.

UUACC. See universal access authority.

UID. See user identifier.

universal access authority (UACC) . The defaultaccess authority that applies to a resource if the user orgroup is not specifically permitted access to theresource. The universal access authority can be any ofthe access authorities.

user . A person who requires the services of acomputing system.

user ID . A string of characters that uniquely identifiesa user to a system. A user ID is 1 to 8 alphanumericcharacters. On TSO, user IDs cannot exceed 7characters and must begin with an alphabetic, #, $, or@ character.

user identification and verification . The acts ofidentifying and verifying a RACF-defined user to thesystem during logon or batch job processing. RACFidentifies the user by the user ID and verifies the userby the password or operator identification card suppliedduring logon processing or the password supplied on abatch JOB statement.

user identifier (UID) . (1) A unique string of charactersthat identifies an operator to the system. This string ofcharacters limits the functions and information theoperator can use. (2) A non-negative integer, whichcan be contained in an object of type uid_t, that is usedto identify a system user. When the identity of the useris associated with a process, a user ID value is referredto as a real user ID, an effective user ID, or an(optional) saved set-user-ID. (3) The identificationassociated with a user or job. The two types of user IDsare:

� RACF user ID: A string of characters that uniquelyidentifies a RACF user or a batch job owner to the

Glossary 45

security program for the system. The batch jobowner is specified on the USER parameter on theJOB statement or inherited from the submitter of thejob. This user ID identifies a RACF user profile.

� OMVS user ID: A numeric value between 0 and2147483647, called a UID (or sometimes a usernumber), that identifies a user to OpenEditionservices. These numbers appear in the RACF userprofile for the user.

A user ID is equivalent to an account on a UNIX-typesystem. (4) A symbol identifying a system user.(5) Synonymous with user identification.

user name . (1) In RACF, one to 20 alphanumericcharacters that represent a RACF-defined user. (2) InOpenEdition MVS, a string that is used to identify auser.

user profile . A description of a RACF-defined userthat includes the user ID, user name, default groupname, password, profile owner, user attributes, andother information. A user profile can include informationfor subsystems such as TSO and DFP. See TSOsegment and DFP segment.

Vverification . See user identification and verification.

VERIFY request . The issuing of the RACROUTEmacro with REQUEST=VERIFY specified. A VERIFYrequest is used to verify the authority of a user to enterwork into the system. The VERIFY request replaces theRACINIT function.

VERIFYX request . The issuing of the RACROUTEmacro with REQUEST=VERIFYX specified. A VERIFYXrequest verifies a user and builds a UTOKEN, andhandles the propagation of submitter ID.

VM. A licensed program that controls “virtualmachines” and runs on two main command languages,CP and CMS. Can be VM/SP, VM/HPO, VM/XA, orVM/ESA.

Wworkspace data sets . VSAM data sets used by RACFfor queuing requests sent to and received from targetnodes in an RRSF environment.


How to Get Your RACF CD

Let's face it, you have to search through a ton ofhardcopy manuals to locate all of the information youneed to secure your entire system. There are manualsfor OS/390, VM, CICS, TSO/E; technical bulletins fromthe International Technical Support Organization (“redbooks”), Washington Systems Center (“orange books”);multiple levels of OS/390 Security Server (RACF)manuals; and much more. Wouldn't it be great if youcould have all of this information in one convenientpackage?

Now you can! The IBM Online Library ProductivityEdition OS/390 Security Server (RACF) InformationPackage includes key books from a wide variety ofSystem/390 operating system and application productlibraries that refer to RACF and OS/390 Security Server(including OpenEdition DCE Security Server andRACF). You can search the information package to findall the RACF hits and hints you need.

You can view and search the books on CD-ROM atyour workstation or terminal using:

� The IBM BookManager Library Reader for OS/2,DOS, or Windows**, all of which are provided at nocharge with each CD-ROM

� Any of the IBM BookManager READ licensedprograms for MVS, VM, OS/2, DOS, AIX/6000, orWindows.1

The OS/390 Security Server (RACF) InformationPackage is available as product feature code 8004 withOS/390 or as product feature code 9006 with RACFVersion 2. You can also order it through normalpublication ordering channels as SK2T-2180. If youhave any specific questions or if you'd like moreinformation about this online collection, write to us atone of the following:

� By mail, use this form. If you are mailing this formfrom a country other than the United States, youcan give it to the local IBM branch office or IBMrepresentative for postage-paid mailing.

� By FAX, use this number: (International AccessCode)+1+914+432-9405

� IBMLink (United States customers only):KGNVMC(MHVRCFS)

� IBM Mail Exchange: USIB6TC9 at IBMMAIL

� Internet: [email protected]

1 IBM BookManager READ/MVS is part of the OS/390 product.


Index

Aaccess list entry

conditional 23standard 23

ACEEALET keyword 16ADDUSER command 15administration

classroom courses xiiiadministration considerations

migration 2ALTUSER command 7, 13, 14, 15application development considerations

migration 3auditing 23auditing considerations

changed SMF records 33migration 3superuser status 6

Ccallable services

changed 6, 12new 8, 11, 12

CDTsee class descriptor table (CDT) 12

class descriptor table 1See also classes

class descriptor table (CDT)changes to 12installation-defined classes 29migration considerations 29

classesnew 12TMEADMIN 8, 31

classroom courses, RACF xiiicommands

ADDUSER 15ALTUSER 7, 13, 14, 15ALTUSER PASSWORD 13changes to 13PASSWORD 13PASSWORD USER 7PERMIT 8, 13, 14SETROPTS 10SETROPTS RACLIST 32TARGET 9, 13

compatibilityplanning considerations 23

courses on RACF xiii

CSAstorage requirement 26

customization considerationsclass descriptor table (CDT) 29RACF/DB2 external security module processing 29

customizingmigration 2

Ddata areas

changed 15changes for OpenEdition services 16changes to for new RACF FMID 16changes to for OpenEdition services 16FAST 30RCVT 16RFXP 30RUTKN 16SAFP 16

database, RACFtemplates 27

DB2 authorizationexit point 5

DB2 external security module 5

EECSA

storage requirement 27ELSQA

storage requirement 26EPLPA

storage requirement 25ESQA

storage requirement 26event codes, new for SMF records 33exits

changes to 16, 17processing 30

FFACILITY class profile 7FLPA

storage requirement 25FMID 9

Ggeneral user considerations

migration 3


getGMAP callable service 6, 12getUMAP callable service 6, 12global access checking 10

Hhardware requirements

planning considerations 22HRF2240 9

IICHEACTN macro, changes to 17ICHEINTY macro, changes to 17ICHETEST macro, changes to 17initUSP callable service 6, 12installation considerations 25

templates 27installation exits 1

See also exitsIRR@XACS 19ISPF panels

changed 19

Llibrary, RACF publications

changes to 20LOGSTR keyword 16LSQA

storage requirement 26

Mmacros

changes to 17RELEASE=2.4 keyword 17, 23

messageschanges to 17new 17

migrationrecommended strategy 21

migration considerationsadministration 2application development 3auditing 3customization 2general user 3installation 2installation-defined classes 29overview 1planning 1

migration pathfrom RACF 1.9 22from RACF 1.9.2 22from RACF 2.1 22from RACF 2.2 21

migration path (continued)from releases prior to RACF 1.9 22from Security Server (RACF) Release 1 21

Nnew and enhanced support

summary of changes 11

OOpenEdition services

auditing use of superuser status 6, 23changed panels 19changes to data areas 16definition of a system-wide default 6, 23description of enhancements 6

OS/390 OpenEdition 1See also OpenEdition services

OS/390 Security Server (RACF) Release 1migration path from 21

Ppanels

changed 19PASSWORD command 13password history

changes 31list 31

PASSWORD USER command 7PERMIT command 13, 14planning considerations

compatibility 23hardware requirements 22

planning for migrationoverview 1

PLPAstorage requirement 25

PROCESS classauditing 23

product IDchanges needed because of 10

program control by system IDadministrative considerations 31compatibility considerations 23

program profiles 23programming interfaces

changes to CDT 12data areas 15new callable service 11, 12

publicationschanges to RACF library 20on CD-ROM xiisoftcopy xii


RR_Admin callable service 8, 11RACF

classroom courses xiiipublications

on CD-ROM xiisoftcopy xii

RACF 1.9migration path from 22

RACF 1.9.2migration path from 22



RACF administrationclassroom courses xiii

RACF panelschanged 19

RACF releases prior to 1.9migration path from 22

RACF remote sharing facility 1See also RRSF

RACF security topicsclassroom courses xiii

RACF/DB2 external security module 29RACLIST keyword 10RACROUTE macro, changes to 17RACROUTE REQUEST=AUTH 10, 32RACROUTE REQUEST=FASTAUTH 16, 35RACROUTE REQUEST=LIST 10, 32RCVT data area 16RCVT value

2040 9Record Fields

SMF80DA2 33SMF80DTA 33

RELEASE=2.4 keyword on macros 17, 23, 35remote sharing 1

See also RRSFrouter table

installation-defined classes 29RRSF local nodes 9run-time library services

overview 7RUTKN data area 16

SSAFP data area 16Security Server (RACF) Release 1

migration path from 21security topics for RACF

classroom courses xiii

SETROPTS command 10SETROPTS RACLIST command 32SMF records

changes to 23, 33SMFID 8spawn service

auditing 6SQA

storage requirement 25storage for RACF

virtual 25storage requirement

virtual for RACF 25superuser status

auditing 6SYS1.SAMPLIB

change for DB2 authorization support 19system identifier 8system-wide default

for OpenEdition segment information 6

TTARGET command 9, 13TARGET command enhancements 9templates

installation considerations 27TMEADMIN class 8

Uuser private, below 16MB

storage requirement 27

Vvirtual storage requirement for RACF 25virtual storage usage for RACF 25

WWDSQUAL keyword on TARGET command 9

Index 51

Readers' Comments — We'd Like to Hear from You

OS/390Security Server (RACF)Planning: Installation and Migration

Publication No. GC28-1920-03

Overall, how satisfied are you with the information in this book?

How satisfied are you that the information in this book is:

Please tell us how we can improve this book:

Thank you for your responses. May we contact you? Ø Yes Ø No

When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your commentsin any way it believes appropriate without incurring any obligation to you.

Name Address

Company or Organization

Phone No.

Very

Satisfied Satisfied Neutral DissatisfiedVery

Dissatisfied

Overall satisfaction Ø Ø Ø Ø Ø

Very

Satisfied Satisfied Neutral DissatisfiedVery

Dissatisfied

Accurate Ø Ø Ø Ø ØComplete Ø Ø Ø Ø ØEasy to find Ø Ø Ø Ø ØEasy to understand Ø Ø Ø Ø ØWell organized Ø Ø Ø Ø ØApplicable to your tasks Ø Ø Ø Ø Ø

Cut or FoldAlong Line

Cut or FoldAlong Line

Readers' Comments — We'd Like to Hear from YouGC28-1920-03 IBM

Fold and Tape Please do not staple Fold and Tape

NO POSTAGENECESSARYIF MAILED IN THEUNITED STATES

BUSINESS REPLY MAILFIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK

POSTAGE WILL BE PAID BY ADDRESSEE

IBM CorporationDepartment 55JA, Mail Station P384522 South RoadPoughkeepsie, NY 12601-5400

Fold and Tape Please do not staple Fold and Tape

GC28-1920-03

IBM

Program Number: 5647-A01

Printed in the United States of Americaon recycled paper containing 10%recovered post-consumer fiber.

GC28-192ð-ð3

ibm os 390 server user manual

Documents

installation considerations

ibm corp

ibm representative

general information

administration considerations

migration gc28

new messages

customization considerations